I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN.

The host configuration has the WAN attached to eth0 (IP_ADDR = A) and the LAN attached to eth1 (IP_ADDR = B). The default gateway for B is A. The default gateway for B is B-1. There is a static route set for eth0 (A) to route traffic for B/24 to B.

My understanding is that INCOMING packets, for the purposes of iptables, originate outside the host interfaces and that OUTGOING packets originate from, or are forwarded across, the host itself. So, as I understand things, traffic from network C/24 destined to B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1. Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT eth0. Is my understanding correct?

I have set up four custom chains, one each for IN and OUT on each of the two eth i/f. Incoming packets for eth0 are sent to the WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN. In a similar fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.

My confusion arises from trying to set up an iptables filter on the WAN-IN-CHAIN so that traffic arriving at eth0 cannot connect to either A or B, but can nonetheless pass through B to B/24. I cannot seem to discover an arrangement whereby I can do this and still maintain network connectivity to B/24 from a console session running on the router itself.

Further, I wish to prevent any incoming connection from the WAN for any source address purporting to belong to the B/24 netblock (IP spoofing). Again, whatever arrangements I try, whenever I enable such a rule I lose network connectivity from the console session to the LAN.

I would appreciate some guidance and an explanation of what fundamental issue it is that I am missing.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Fri, 7 Aug 2009, James B. Byrne wrote:

> I am setting up a small CentOS-5.3 host to act as a router. I have
> the device configured and working. What I am trying to accomplish
> now is configuring the firewall so as to protect both the router and
> the LAN.

[....]

In the past, I'd have tried to craft the iptables rules by hand. Now, older and lazier, I rely on shorewall. Shorewall generally produces pretty good rules. You can "compile" your logic to iptables rules without implementing them, so you could use shorewall to generate a set of rules that essentially do what you want, look them over, and then revise/implement the ones you like.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
James B. Byrne wrote:

> My understanding is that INCOMING packets, for the purposes of
> iptables, originate outside the host interfaces and that OUTGOING
> packets originate from, or are forwarded across, the host itself.
> So, as I understand things, traffic from network C/24 destined to
> B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1.
> Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT
> eth0. Is my understanding correct?

No. You don't have it right.

INPUT packets are packets destined for the router's own IP addresses (not going to any other machines).

FORWARD packets are packets being routed through the router (but not targeted at the router's own IP addresses).

OUTPUT packets are packets originated from the router itself (not packets being routed from other machines).

-- 
Benjamin Franz
Hi,

On Fri, Aug 7, 2009 at 12:07, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> The host configuration has the WAN attached to eth0 (IP_ADDR = A)
> and the LAN attached to eth1 (IP_ADDR = B). The default gateway for
> B is A. The default gateway for B is B-1.

This statement does not make any sense to me... Could you please use real IPs where possible and fake IPs (be consistent) where you don't want to disclose your private information?

> My understanding is that INCOMING packets, for the purposes of
> iptables, originate outside the host interfaces and that OUTGOING
> packets originate from, or are forwarded across, the host itself.
> So, as I understand things, traffic from network C/24 destined to
> B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1.
> Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT
> eth0. Is my understanding correct?

If packets are traversing the router, you should add rules in the FORWARD chain and not INPUT and OUTPUT (those apply only to packets destined for the router).

You must also enable forwarding by adding this to /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

And then running as root:

    sysctl -p

> I have set up four custom chains, one each for IN and OUT on each of
> the two eth i/f. Incoming packets for eth0 are sent to the
> WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN. In a similar
> fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.

Also, very confusing. How do those relate to INPUT, OUTPUT and FORWARD? Could you please post the rules you are using, maybe anonymizing the external IPs for privacy?

> Further, I wish to prevent any incoming connection from the WAN for
> any source address purporting to belong to the B/24 netblock (IP
> spoofing). Again, whatever arrangements that I try, whenever I
> enable such a rule I lose network connectivity from the console
> session to the LAN.

Please post the rules you are trying. If you don't, there is no way we can tell you what is wrong there...

HTH,
Filipe
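One ruleset that follows the INPUT/FORWARD/OUTPUT split Benjamin and Filipe describe, written here as an added example rather than anything posted in the thread. It keeps James's idea of a WAN-IN chain, but reaches it from both INPUT and FORWARD, and it assumes constructed placeholder addresses (LAN netblock 192.168.10.0/24) with the interface names from the original post.

```shell
#!/bin/sh
# Added example for the router in this thread; not code posted by anyone here.
# Constructed placeholder addresses: LAN side eth1 holds B = 192.168.10.1 and
# the LAN netblock B/24 is 192.168.10.0/24. The WAN address A is not needed by
# the rules. Forwarding itself still needs net.ipv4.ip_forward = 1 (see above).
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24

# IPT is the command that applies each rule. The default only prints the rules
# for review; run with IPT=iptables as root to load them for real.
IPT=${IPT:-"echo iptables"}

build_rules() {
    # Clean filter table, deny by default for traffic to and through the router.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT     # what the router itself originates, e.g. console sessions

    # "Arriving on eth0" spans two built-in chains: INPUT (addressed to A or B)
    # and FORWARD (passing through to the LAN), so both jump to one WAN-IN chain.
    $IPT -N WAN-IN
    $IPT -A INPUT   -i "$WAN_IF" -j WAN-IN
    $IPT -A FORWARD -i "$WAN_IF" -j WAN-IN

    # Anti-spoofing: a LAN source address must never arrive on the WAN side.
    # Binding the rule to -i eth0 is essential; without it the same rule would
    # also drop genuine LAN replies arriving on eth1, including the replies a
    # console session from the router to a LAN host depends on.
    $IPT -A WAN-IN -s "$LAN_NET" -j DROP
    # Nothing from the WAN may open a connection to A, B or the LAN; only
    # replies to connections that went out through eth0 are let back in.
    $IPT -A WAN-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A WAN-IN -j DROP

    # The router's own inbound traffic: loopback, replies to what it sent,
    # and management access from LAN hosts.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # LAN -> WAN may be forwarded; the replies come back through WAN-IN above.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

build_rules
```

With the default IPT the script only lists the commands, so the chain layout can be checked before anything is loaded; the console-to-LAN case works because those packets leave via OUTPUT (policy ACCEPT) and their replies arrive on eth1, which the anti-spoof rule never sees.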
On Fri, August 7, 2009 12:07, James B. Byrne wrote:

> I am setting up a small CentOS-5.3 host to act as a router. I have
> the device configured and working. What I am trying to accomplish
> now is configuring the firewall so as to protect both the router and
> the LAN.

Thank you for the replies. I have been reading about iptables all weekend and have clarified a number of misconceptions that I had.

I have a few specific questions wrt rp_filter. Is this set anywhere in the startup scripts that ship with CentOS? If so then where? How would one best configure this setting, or should it be left off, as I believe that it is by default? Does it make any sense to enable this on the eth0 i/f given that eth0 is the WAN i/f?

Sincerely,

-- 
James B. Byrne